Ernst & Young Distinguished Professor, Accounting, University of Kansas; Director, Ernst & Young Center for Auditing Research and Advanced Technology, School of Business, University of Kansas
This study develops an alternative methodology for the risk analysis of information systems security (ISS), an evidential reasoning approach under the Dempster-Shafer theory of belief functions. The approach has the following important dimensions. First, the evidential reasoning approach provides a rigorous, structured manner to incorporate relevant ISS risk factors, related countermeasures, and their interrelationships when estimating ISS risk. Second, the methodology employs the belief function definition of risk—that is, ISS risk is the plausibility of ISS failures. The proposed approach has other appealing features, such as facilitating cost-benefit analyses to help promote efficient ISS risk management. The paper elaborates the theoretical concepts and provides operational guidance for implementing the method. The method is illustrated using a hypothetical example from the perspective of management and a real-world example from the perspective of external assurance providers. Sensitivity analyses are performed to evaluate the impact of important parameters on the model's results.
We study two aspects of assurance services in electronic commerce. The first deals with the type(s) of evidential networks that will allow a professional accountant to provide assurance. Here, we develop an evidential network model for "WebTrust Assurance," a service being provided by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). Our model augments the AICPA/CICA approach and provides goals, subgoals and evidence relevant to the overall assurance to be provided. The aggregation of evidence and the resolution of uncertainties follow the belief-function approach. Next we develop a decision-theoretic model for the assurance-planning problem. Our approach is based on estimating the expected value of providing various levels of assurance and is illustrated with several different scenarios that may be faced in practice. We also consider the role of ambiguity in decision situations such as planning WebTrust engagements and calculate bounds in expected value based on whether auditors are conservative or not in their approach to risk.